Government Technology

The Smart Grid Needs to Get Smart About Security



hacking smart meters
hacking smart meters

May 27, 2010 By

"Hacking" a smart meter or an entire grid requires no physical access -- just access to the same Internet connections used to manage the network. Reprinted with permission of MuniWireless.

With all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark fiber point-to-points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on you own island with your own power and communications grid and everything was just fine.

Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs to begin learning this. (See Inside PGE's Smart Grid Lab -- Chris Knudsen, director of the technology innovation center at PG&E, shows what they're tinkering with).

Utility Meter

It didn't take long for problems to occur. Again, you need to understand that even smart meters were just dusted off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data real time. It wasn't long before serious security issues were found and were reported by respected security firms like InGuardian and IOactive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC," said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco. So now with little knowledge of the Internet and security the power companies have billions of dollars of grants in hand with one big problem. The grants mandate an iron-clad security platform.

To add to the smart-grid security problems some people think the power grid is the main target in the new battle in cyber wars. Richard Clarke, the former federal anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent Newsweek article, Clarke was quoted as saying, "The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures."

So what can we do to secure the grid now while upgrading it to smart-grid capabilities?

Ed Smith, CEO of WirelessWall has one word, "Attack." Having a military background he understands that you begin an


| More

Comments

Niall McShane    |    Commented May 29, 2010

Larry - you correctly highlight the broader security issue associated with the grid, not just the issue of personal privacy but the concern about a coordinated attack designed to bring down the grid. The first thing to note here is that the capability for such an attack already exists today as evidenced by the examples you quote in your article.

Clearly we need to improve security around the grid to try to ward off such attacks but we should also recognize that we will never reach the point where the grid is secured.

As in other fields, security is a game between the system operators and the hackers with each constantly trying to stay ahead of the other and no way to completely lock down a system and protect it from all possible attacks.

This is why we need to start the process of re-architecting the grid into smaller, localized microgrids that are loosely coupled in a federation to help balance supply and demand across wider geographic areas but which can also island from the macrogrid to prevent the propagation of faults. In this way we move from a single large target that can be attacked and that will then propagate the fault throughout the network to a large number of much smaller targets.

This is the most effective way to secure the grid from the types of attacks that you are highlighting.

Niall McShane    |    Commented May 29, 2010

Larry - you correctly highlight the broader security issue associated with the grid, not just the issue of personal privacy but the concern about a coordinated attack designed to bring down the grid. The first thing to note here is that the capability for such an attack already exists today as evidenced by the examples you quote in your article.

Clearly we need to improve security around the grid to try to ward off such attacks but we should also recognize that we will never reach the point where the grid is secured.

As in other fields, security is a game between the system operators and the hackers with each constantly trying to stay ahead of the other and no way to completely lock down a system and protect it from all possible attacks.

This is why we need to start the process of re-architecting the grid into smaller, localized microgrids that are loosely coupled in a federation to help balance supply and demand across wider geographic areas but which can also island from the macrogrid to prevent the propagation of faults. In this way we move from a single large target that can be attacked and that will then propagate the fault throughout the network to a large number of much smaller targets.

This is the most effective way to secure the grid from the types of attacks that you are highlighting.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Best Practice Guide for Cloud and As-A-Service Procurements
While technology service options for government continue to evolve, procurement processes and policies have remained firmly rooted in practices that are no longer effective. This guide, built upon the collaborative work of state and local government and industry executives, outlines and explains the changes needed for more flexible and agile procurement processes.
Fresh Ideas In Online Security for Public Safety Organizations
Lesley Carhart, Senior Information Security Specialist at Motorola Solutions, knows that online and computer security are more challenging than ever. Personal smartphones, removable devices like USB storage drives, and social media have a significant impact on security. In “Fresh Ideas in Online Security for Public Safely Organizations,” Lesley provides recommendations to improve your online security against threats from social networks, removable devices, weak passwords and digital photos.
Meeting Constituents Where They Are With Dynamic, Real-Time Mobile Engagement
Leveraging the proven and open Kofax Mobile Capture Platform, organizations can rapidly integrate powerful mobile engagement solutions across the spectrum of mobile image capture, mobile data capture and complete mobile process integration. Kofax differentiates itself by extending capture to mobility, supporting multiple points of constituent engagement. Kofax solutions dynamically orchestrate the user’s mobile experience from a single platform—reducing time to market, improving process perf
View All

Featured Papers